DragonFlyBSD Kernel Audit
DF-0412

Kernel heap OOB read in ng_string_unparse via unbounded strlen on binary data without NUL terminator

Summary

ng_string_unparse (:752) calls ng_encode_string(raw, strlen(raw)), where raw points into the binary message buffer. If there is no NUL within the buffer bounds, strlen scans past the end into adjacent heap. The over-read bytes are encoded and returned to the user. Unlike DF-0410, there is no write overflow (the allocation and the loop both use strlen, so their sizes match), but the OOB read is the leak. Root-gated.
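One way to bound the scan described above, as an added example that is not DragonFlyBSD code or a fix taken from this finding. The helper names, the offset/length parameters and the sample buffers are hypothetical; it assumes the caller knows the size of the message buffer and the offset of the string field.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical helper: length of the string field starting at data[off]
 * in a message buffer of buflen bytes. Returns 0 and stores the length if
 * a NUL exists inside the buffer, EINVAL otherwise. Unlike strlen(),
 * memchr() never reads past data + buflen.
 */
static int
bounded_field_len(const unsigned char *data, size_t buflen, size_t off,
    size_t *lenp)
{
	const unsigned char *start, *nul;

	if (off >= buflen)
		return (EINVAL);	/* field starts outside the buffer */
	start = data + off;
	nul = memchr(start, '\0', buflen - off);
	if (nul == NULL)
		return (EINVAL);	/* unterminated: reject, do not encode */
	*lenp = (size_t)(nul - start);
	return (0);
}

/* Constructed sample messages: one terminated field, one with no NUL. */
static const unsigned char msg_ok[] = { 'e', 't', 'h', '0', '\0', 0x7f };
static const unsigned char msg_bad[] = { 'A', 'A', 'A', 'A', 'A', 'A' };

/* Returns the field length, or -1 when the field must be rejected. */
static long
check_sample(const unsigned char *msg, size_t buflen, size_t off)
{
	size_t len;

	if (bounded_field_len(msg, buflen, off, &len) != 0)
		return (-1);
	return ((long)len);
}

int
main(void)
{
	printf("terminated field:   %ld\n", check_sample(msg_ok, sizeof(msg_ok), 0));
	printf("unterminated field: %ld\n", check_sample(msg_bad, sizeof(msg_bad), 0));
	return (0);
}
```

The length returned here, rather than strlen(raw), is what would be passed on to the encoder, so an unterminated field is rejected before any byte outside the buffer is read.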